Why business is losing the war against cybercrime

New State of Cybercrime survey finds lack of risk awareness means poor defenses in the enterprise.

They include the centralization of information and tools across functions including IT, information security, physical security, HR and legal, rather than keeping them in separate repositories.

But technology is not enough. The survey quotes an FBI insider at the February 2013 RSA conference, who said, "the risk from insider threats is ... a people-centric problem. So you have to look for a people-centric solution."

"Poor performance, issues with colleagues, disciplinary actions, living beyond their means; these are signs that employees and managers will notice, not IT security tools," the survey said.

Insiders can also be a problem even when they're not malicious, since they can be "spear phished" — tricked into clicking on a link in an email purporting to come from a trusted source, or through social engineering.

Training and awareness can mitigate that, but John McClurg, vice president and CSO at Dell, said that, given the skill with which spear phishers harvest details from social media sites, "even the most security aware employees can be induced into clicking in a moment of weakness."

But, he added that "great cyber intelligence is available through (different) groups, and is an indispensable asset any CSO can leverage."

There are other ways for enterprises to improve their security posture. The survey concluded that companies could defend against 80% of attacks simply through better education, IT infrastructure maintenance and monitoring.

Another 15% can be defeated through effective strategy, better awareness of the threats and good asset identification and protection. The final 5%, which come from sophisticated, nation-state actors, need to be confronted with the help of government agencies.

But that requires a cybersecurity strategy that includes planning for attacks and better sharing of information on threat levels, neither of which is being done by a majority of enterprises.

"A cybersecurity strategy is the cornerstone of protecting sensitive business assets, yet nearly 30% of companies surveyed do not have a plan. And of those that do, half fail to test it," the survey found.

Dave Burg said part of that plan means that an organization must, "understand what its critical assets are from a threat actor's perspective. Determining the most serious threat actors depends on what is being targeted."

It also found that while the Department of Homeland Security (DHS) coordinates interaction between Information Sharing and Analysis Centers (ISACs) and key sectors of the US critical infrastructure, "awareness and use of ISACs is particularly low and has not increased appreciably over the past three years, with the exception of the banking and finance industry."